Defining an attribute contract for IdP STS - PingFederate

Defining an attribute contract for IdP STS - PingFederate - 10.0

PingFederate Server

bundle

pingfederate-100

ft:publication_title

PingFederate Server

Product_Version_ce

PingFederate 10.0

category

Product

pf-100

pingfederate

ContentType_ce

Page created: 12 Sep 2019 |

Page updated: 19 Mar 2020

| 2 min read

PingFederate 10.0 Product Configuration User task WS-Trust Standards, specifications, and protocols Software Deployment Method Product documentation Content Type Administrator Audience

An attribute contract is the set of user attributes that a web service client at your site expects to receive in security tokens issued for this connection (see Attribute contracts). You identify these attributes on the Attribute Contract screen.

Enter the attribute name in the text box.

Attribute names are case-sensitive and must correspond to the attribute names (including claims) expected by the requesting WSC.
Tip:
The Format attribute associated with the NameID element in outgoing SAML tokens may be set when needed by adding an attribute called SAML_NAME_FORMAT. The value of that attribute can then be mapped later (see Configuring contract fulfillment for token creation).

For information about the NameID elements and applicable URI values, locate the SAML 2.0 specification at www.oasis-open.org/standards.

Tip:
You can add a special attribute, SAML_AUTHN_CTX, to indicate to the SP (if required) the type of credentials used to authenticate to the IdP application—authentication context. Map a value for the authentication context on the attribute-mapping screen later in the configuration, from any available attribute source, including the RST if a requested context is specified as a request parameter (see Configuring contract fulfillment for token creation).
Optional: For SAML 1.1 tokens, select a attribute namespace from the list.
This field appears only when the chosen default token type is SAML 1.1 or SAML 1.1 for Office 365 on the WS-Trust STS > Protocol Settings screen.
Change the default namespace selection if you and your SP partner have agreed to a specific namespace.
Note:
As needed, you can customize name-format alternatives in the custom-name-formats.xml configuration file located in the <pf_install>/pingfederate/server/default/data/config-store directory. (Restart of PingFederate is required to activate any changes made to this file.)

(For more information about attribute namespace, see Attribute contracts.)
Click Add.
Repeat until all applicable attributes are defined.

Use the Edit, Update, and Cancel workflow to make or undo a change to an item. Use the Delete and Undelete workflow to remove an item or cancel the removal request.